[dns-operations] rate-limiting state

Patrick W. Gilmore patrick at ianai.net
Fri Feb 7 13:50:24 UTC 2014


On Feb 07, 2014, at 07:09 , Tony Finch <dot at dotat.at> wrote:
> Colm MacCárthaigh <colm at stdlib.net> wrote:

>> I don't see anyone disputing my example, and I'm not calling out RRL's
>> ability to dampen a reflection attack. I'm saying that RRL can be used to
>> counter-attack your users.  Let's say a busy website gets 1,000 QPS of
>> "real" user queries. If I want those queries to survive say with 2 retries,
>> then I need to let through 40% of traffic to have a 95p confidence of them
>> getting an answer. Yes, I'll have mitigated the reflection to 4Gbit/sec,
>> but meanwhile users will be seeing increased resolution times and timeouts.
> 
> You seem to be assuming that RRL is a blanket rate limit. It is not.
> 
> If my busy name server is getting 1000 qps of real traffic from all over
> the net, and 1000 qps of attack traffic "from" some victim, then RRL will
> attenuate responses to the victim without affecting other users.
> 
> In the absence of RRL, the victim will be denied service by overwhelming
> traffic. In the presence of RRL the victim might have slightly slower DNS
> resolution.

Not just the victim.

Let's all agree Colm is a bit confused on both how RRL works and the failure modes we are discussing. Then we can go back to arguing about other useless stuff instead of arguing about this useless stuff. :)

-- 
TTFN,
patrick
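The distinction Tony draws above, a per-client limiter versus a blanket limiter, is easy to see in a small simulation. The following is an added example and is not code from the thread or from any RRL implementation; it simplifies real RRL (which buckets on client prefix plus response tuple and has a "slip" option) down to a per-second bucket keyed by the client's /24, and the traffic mix, the victim address and the limits are all constructed values.

```python
"""Added example (not from the thread): per-client response rate limiting
(RRL-style) beside a blanket global limit, on a constructed traffic mix."""
from collections import defaultdict
import ipaddress

VICTIM = "192.0.2.7"          # constructed: spoofed source the attacker wants flooded
PER_CLIENT_LIMIT = 5          # constructed: responses/second per client /24
GLOBAL_LIMIT = 1000           # constructed: responses/second for the blanket limiter


def client_key(src_ip):
    """RRL buckets by client prefix; using a /24 is an assumption for this example."""
    return ipaddress.ip_network(f"{src_ip}/24", strict=False)


def run_limiter(queries, key_fn, limit):
    """queries: list of (second, src_ip). key_fn maps src_ip to a bucket key.
    Returns {src_ip: (answered, dropped)}. Queries beyond the per-second bucket
    limit are dropped (RRL's 'slip' behaviour is left out for simplicity)."""
    sent = defaultdict(int)                 # (second, bucket key) -> responses sent
    stats = defaultdict(lambda: [0, 0])     # src_ip -> [answered, dropped]
    for sec, src in queries:
        bucket = (sec, key_fn(src))
        if sent[bucket] < limit:
            sent[bucket] += 1
            stats[src][0] += 1
        else:
            stats[src][1] += 1
    return {src: tuple(v) for src, v in stats.items()}


def build_traffic(seconds=3, real_qps=1000, attack_qps=1000):
    """Per second, interleave one query from each of real_qps distinct /24s
    (the 'real' users) with attack_qps spoofed queries 'from' VICTIM."""
    queries = []
    for sec in range(seconds):
        for i in range(max(real_qps, attack_qps)):
            if i < real_qps:
                queries.append((sec, f"10.{i // 256}.{i % 256}.1"))  # distinct /24 each
            if i < attack_qps:
                queries.append((sec, VICTIM))
    return queries


def summarize(stats):
    """Return (victim_answered, victim_dropped, others_answered, others_dropped)."""
    va, vd = stats.get(VICTIM, (0, 0))
    ra = sum(a for s, (a, _d) in stats.items() if s != VICTIM)
    rd = sum(d for s, (_a, d) in stats.items() if s != VICTIM)
    return va, vd, ra, rd


def compare():
    """Run the same traffic through a per-client limiter and a blanket limiter."""
    traffic = build_traffic()
    per_client = summarize(run_limiter(traffic, client_key, PER_CLIENT_LIMIT))
    blanket = summarize(run_limiter(traffic, lambda _src: "all", GLOBAL_LIMIT))
    return {"per_client": per_client, "blanket": blanket}


if __name__ == "__main__":
    for name, (va, vd, ra, rd) in compare().items():
        print(f"{name:10s} victim answered={va} dropped={vd} | "
              f"others answered={ra} dropped={rd}")
```

With per-client buckets the spoofed victim prefix is throttled to five responses a second while every other client gets all of its answers; the blanket limiter, by contrast, drops half of the legitimate traffic because it cannot tell the two apart, which is the failure mode Colm describes.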
